Got a SmartPhone? If it’s the T-Mobile G1, you need to be aware of a potential hack to the Google Android software that accompanies it. Apple updates iPhoto just in time for the holidays, and Todd Ogasawara at DigitalMedia Blog shares his experience syncing his Mac with his G1. A guy who wants to see his hair turn gray, indeed. It’s time for the Tuesday Tech Roundup.

by Gregg Keizer, Computerworld, October 28, 2008

“A noted security researcher Monday warned users of T-Mobile’s G1 smart phone that a critical vulnerability in Google’s Android operating system could be used to hack their phones.

Led by Charlie Miller, a researcher who has rooted out high-profile bugs in Apple Inc.’s Mac OS X and iPhone, a team from Independent Security Evaluators (ISE) identified the bug and reported it to Google last week. ISE is a Baltimore-based security consultancy where Miller works. Miller, who declined to get specific about the vulnerability, said only that it is a buffer overflow bug that could be exploited by tricking G1 users into visiting malicious sites. “There’s a chance that the attacker could execute malicious code remotely” with the same privileges as the user of the phone’s browser, Miller said.

T-Mobile started shipping the G1 shortly before the 22 October launch date; the phone is the first powered by Google’s open-source mobile phone operating system, Android.

Miller said that after alerting Google, a security researcher from its Android team contacted him for more information, and to ask that he withhold information until a patch was in place. Miller refused to wait, but promised not to disclose any details or technical information that could be used by hackers. “People should know that there’s a problem with the G1 before they buy it,” Miller said as he defended his actions. “I don’t want to help the bad guys either, but people should have all the information before they make a decision to buy [the phone]. I think I’m totally in the right here.”

Google did not respond to a request for comment, or to questions about the status of any patch for Android and the G1. Miller also said that he and others at ISE had crafted a working exploit, but would not release it until a patch is in hand.

According to a more detailed warning on the ISE site, the flaw is within one of the more than 80 different open-source packages used by Google to assemble Android. Miller blamed the bug on Google’s use of outdated code. “This particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version,” said the ISE alert.
Miller declined to name the specific open-source package at fault.

Google has been caught in the same bind before. Because it used an older version of WebKit, the open-source rendering engine that also powers Apple’s Safari, for the foundation of its own Chrome browser, users were at risk from attacks based on a months-old flaw that had been dubbed the “carpet bomb” bug.

Google patched the carpet bomb vulnerability in a development build of Chrome two weeks ago. Miller is well known in the Mac and iPhone vulnerability research community, and was on the same three-man ISE team that spotted and reported the first bug in Apple’s iPhone shortly after it launched in mid-2007. Several months before that, he walked off with a $10,000 prize in an inaugural hacking contest by cracking an Apple laptop running Mac OS X in less than two minutes.

“I like the iPhone,” said Miller, “but the G1 actually has a lot better security. In Android, Google uses this compartmentalized security architecture, application sandboxing really, so that each app runs as its own user and can access only its own files. So even though I can exploit the browser, I can’t read the person’s e-mail.” But even though it boasts stronger security, the G1 is still dangerous, Miller said, blaming user naivete.

“People are trained to be careful when they’re browsing from the desktop or laptop, but hand them a phone and all the rules seem to go out the window,” Miller said. “They use [their smart phone] to do everything they do on the desktop, but they forget they can get into trouble browsing from their phone.”

by Philip Michaels, Macworld.com, October 27, 2008

Apple has released an update for iPhoto that focuses on the photo-sharing features of the image-editing and organization program. According to Apple’s sparse release notes, iPhoto 7.1.5 “improves the printing quality of books, cards and calendars ordered via the iPhoto printing service.”

The slender 9MB update is available through Software Update and Apple’s Web site. iPhoto 7.1.5 requires OS X 10.4.11 or later. iPhoto was last updated in July when Apple added holiday greeting card and postcard themes to the iLife ’08 application.

by Todd Ogasawara, O’Reilly DigitalMedia Blog, October 22, 2008

My T-Mobile G1 phone based on Google’s Android platform arrived on Monday. It was a big change for me because I’ve been using Windows Mobile based smartphones since 2002 when I started with the very first T-Mobile Pocket PC Phone Edition. Since Android phones sync directly with Google Calendar and Gmail Contacts, this also meant switching away from Microsoft Outlook on my old Windows XP PC. Given this big change, I thought it might be interesting to see if I could sync Contacts and Calendar with my Mac. One of my goals was to only use tools provided by Apple or Google. I wanted to avoid trust issues involved with using third party web services that worked as an intermediary between the Google web services and my Mac.

However, before diving into calendars and contacts, I wanted to mention a basic Android feature that works fine with the Mac: The Android phone working as an external flash drive. The G1 comes with a 1GB miniSD card pre-installed (it can work with cards up to 16GB large). I used the supplied USB to miniUSB cable to connect the G1 to my iMac. As you can see the iMac sees it as an ordinary drive formatted using FAT16 which can be read by and written to by almost any desktop/notebook platform. The Mac does not see the internal 256MB system memory used to store applications and systems data, however.

So far, the only data I’ve seen stored on the miniSD card are the photos taken using the 3 megapixel camera (stored in the dcim folder) and music. My miniSD came with 11 songs on it in the Music folder.

Google wants me to sync the G1 only with Gmail’s Contacts and Google Calendar. Google provides a two-way sync tool for Google Calendar and Microsoft Outlook 2003 or 2007 on Microsoft Windows. However, it doesn’t provide any sync tool for Mac OS X’s iCal (or Microsoft Entourage for that matter). Google Calendar can export individual calendars to a ZIP file containing .ics format event data files.
Starting with Mac OS X 10.5.3, however, there is a sync between OS X’s Address Book and Google Contacts.

As you can see from my configuration, I originally had it configured to sync with Yahoo! Mail’s contacts list. And, I added Google Contacts sync. The Address Book option box did not force me to choose just one source to sync with. So, I assume this is acceptable.

Address Book has Always Allow set for permission to access the OS X keychain.
The problem is that this sync feature doesn’t fully work. As far as I can tell, new contacts added to Google Contacts sync with Address Book. However, changes to existing contacts do not flow from Google Contacts to Address Book. I had hoped to use Address Book to clean up the mess Google created in my Google Contacts list. Google finally changed their behavior of auto-updating the list without asking me yesterday. But, the damage of the years prior to this change remains.

The upshot is that I was not able to sync anything using my original criteria of using only Apple or Google provided tools. So, my next set of projects involves taking a look at these third party tools as a possible solution to partnering my G1 phone with my Mac.